
We are implementing smartcards to comply with two-form authentication using the built-in support in Windows + AD, using YubiKeys and Gemalto .NET cards.

As an admin I can issue new certificates for the users and install such certificates in the smartcards with no additional third-party tools, but simply with the current built-in support in Windows. What I need is a management tool that could keep track of my cards and help to manage certificates in them, expiration date, password policies, etc.

I have not been able to find any solution on the market besides Versasec. While the Versasec tool does all I need, their sales and support are awful (ignoring the ugly interface). Other companies only provide tools for infrastructure aimed at physical access and the like, but none so far to support logical access for Windows workstations.

Any advice will be appreciated.

Ricardo C
  • Any reason the Windows certificate management console isn't good enough? – Jacob Evans May 24 '17 at 19:59
  • @JacobEvans not "good enough", simply "not good at all". The certificates do not exist in the local computer; they are in the smart card (they can also be copied to AD), and we are talking about dozens or hundreds of users in a domain. This is not for personal use, but for a group of users. – Ricardo C May 26 '17 at 16:28
  • Right, don't you sign them with your Windows CA? – Jacob Evans May 26 '17 at 16:31
  • @JacobEvans a certs operator/admin requests the cert on behalf of the user; it is issued by the CA and signed by the admin, then stored in the card. Also, as I mentioned, there is the issue with password policy enforcement (no, Windows cannot enforce this), unlocking the card, and card inventory. – Ricardo C May 26 '17 at 16:57

1 Answer

I'm not sure about the management of YubiKeys; however, regarding the Gemalto product line, you should first know that the IDPrime .NET line has been discontinued and the IDPrime MD product line will be the replacement. Per Gemalto:

We’d like to update you that we are announcing End of Sale for the following smart cards:

IDPrime .Net  
IDPrime .Net Bio

Key Dates:

Milestone             Date
Last-Time-Buy (LTB)   September 29, 2017
End-of-Sale (EOS)     September 30, 2017
End-of-Life (EOL)     September 30, 2018

With smartcard management it really comes down to scope. If you have a large number of cards, it makes sense to invest in a CMS (Card Management System) such as Microsoft FIM, Versasec vSEC:CMS, Gemalto IDAdmin 200, etc. For small deployments there are really only three points to address, and all can be achieved via freely available tools.

  1. Admin PIN - on Gemalto cards this is a 24-byte value set to 0x00 by default. The Versasec vSEC:CMS K-series tool will enable this to be changed to a random value. Thus if the smartcard is lost, the certificates will not be recoverable, as only 5 failed admin logins are allowed. Be sure to securely document the new Admin PIN, for it will be needed to perform the following tasks:
    1. Unblock User PIN
    2. Set User PIN Policy
    3. Other Admin Activities (reset card, manage other roles, etc.)
  2. Card Management - this activity mostly includes setting User PIN policies, though it can extend into managing other User Roles. Versasec vSEC:CMS K-series does a sufficient job, though Gemalto's Minidriver Manager is much more comprehensive. Just be sure to add the applicable Admin PIN to the MD_Manager.ini file so you can log on as the admin role. The Gemalto Minidriver Manager can natively perform all management duties except changing the Admin PIN.
  3. Unblock User PIN - Versasec vSEC:CMS K-series offers this functionality, and Gemalto offers a tool called Response Calculator.
user2320464
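The question asks for a way to keep track of certificates and their expiration dates across dozens or hundreds of users, and the comments note that the issued certificates can be copied to AD. The script below is an added example, not part of the original question or answer and not a Versasec or Gemalto tool: it builds a small inventory of the smart-card logon certificates published to each user's userCertificate attribute and flags those that are expired or close to expiry. It assumes the RSAT ActiveDirectory module is available and that the enrollment process publishes the certificate to AD; the warning window, output path and column layout are the author's choices. The Smart Card Logon EKU OID (1.3.6.1.4.1.311.20.2.2) is the standard Microsoft value.

```powershell
# Added example (not from the original post): inventory smart-card logon
# certificates published to Active Directory and flag those nearing expiry.
# Assumes the RSAT ActiveDirectory module is installed and that each user's
# certificate has been published to the userCertificate attribute.
Import-Module ActiveDirectory

# Standard Microsoft OID for the Smart Card Logon enhanced key usage
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'
# Assumed policy: flag anything expiring within this many days
$WarnDays = 30
$Now = Get-Date

$report = foreach ($user in Get-ADUser -Filter 'userCertificate -like "*"' -Properties userCertificate) {
    foreach ($raw in $user.userCertificate) {
        # Each attribute value is the DER-encoded certificate as a byte array
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)

        # Keep only certificates that carry the Smart Card Logon EKU; users may
        # also have S/MIME or other certificates published here.
        $hasSmartCardEku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $SmartCardLogonEku }
        if (-not $hasSmartCardEku) { continue }

        $daysLeft = [int]($cert.NotAfter - $Now).TotalDays
        if ($daysLeft -lt 0) {
            $status = 'EXPIRED'
        } elseif ($daysLeft -le $WarnDays) {
            $status = 'EXPIRING'
        } else {
            $status = 'OK'
        }

        [pscustomobject]@{
            User       = $user.SamAccountName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Serial     = $cert.SerialNumber
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }
}

# Show the cards that need attention first, then keep a CSV for tracking
$report | Sort-Object DaysLeft | Format-Table -AutoSize
$report | Export-Csv -Path .\smartcard-cert-inventory.csv -NoTypeInformation
```

Two caveats when reading the output: the AD attribute is only a copy of what was published at enrollment, so a card that was reissued or revoked without the attribute being updated will still appear here (cross-check against the CA's issued and revoked certificate lists), and nothing in AD tells you the PIN state of the physical card; for blocked-PIN and Admin PIN handling you still need the card-side tools described in the answer.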